OFFICE OF INSPECTOR GENERAL
Audit Report
Fiscal Year 2013 Audit of Information Security at the Railroad Retirement Board

This abstract summarizes the results of the subject audit. The full report includes information protected from disclosure and has been designated for limited distribution pursuant to 5 U.S.C. § 552.

Report No. 14-03
March 04, 2014

RAILROAD RETIREMENT BOARD

REPORT ABSTRACT
Fiscal Year 2013 Audit of Information Security at the Railroad Retirement Board

Background

The Office of Inspector General for the Railroad Retirement Board (RRB) conducted an audit of information security at the RRB for fiscal year (FY) 2013, which is mandated by the Federal Information Security Management Act of 2002 (FISMA).

Objectives

The objectives of our audit included testing the effectiveness of the information security policies, procedures, and practices of a representative subset of the agency's information systems; assessing agency compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines; and preparing a report on selected elements of the agency's information security program in compliance with the Department of Homeland Security's FY 2013 FISMA reporting instructions.

Findings

Our audit determined that the RRB continues to make progress in implementing an information security program that meets the requirements of FISMA; yet a fully effective security program has not been achieved. The significant deficiencies in the internal control structure over the review of the agency's contractor deliverables associated with the risk management framework, and in the security configuration management program, remain unresolved. We also noted some lesser deficiencies in the RRB's security program.

Recommendations

In total, we made seven detailed recommendations to RRB management related to:

• Strengthening Configuration Management by developing baseline configuration settings and implementing automated capabilities to identify deviations from baseline configuration settings.
• Ensuring non-user accounts are reviewed periodically, including updating the accounts as necessary to ensure account names and descriptions accurately reflect the purpose of the account.
• Identifying all key data fields for effective management in the agency-wide Plan of Action and Milestones, and strengthening controls to ensure all key fields are required data fields and consistently completed.
• Improving the security training process by implementing controls to ensure all contractors complete security awareness training.
• Updating policies and procedures for role-based training for RRB employees and contractors.

Management's Responses

Agency management concurs with all recommendations.